Security-typed languages promise to be a powerful tool with which
provably secure software applications may be developed. Programs
written in these languages enforce a strong, global policy of
noninterference which ensures that high-security data will
not be observable on low-security channels. Because noninterference
is typically too strong a property, most programs use some form of
declassification to selectively leak high-security information,
e.g. when performing a password check or data encryption.
Unfortunately, such a declassification is often expressed as an
operation within a given program, rather than as part of a global
policy, making reasoning about the security implications of a policy
more difficult.

In this paper, we propose a simple idea we call trusted
declassification in which special declassifier functions are
specified as part of the global policy. In particular, individual
principals declaratively specify which declassifiers they trust so
that all information flows implied by the policy can be reasoned
about in the absence of a particular program. We formalize our approach
for a Java-like language and prove a modified form of noninterference
which we call noninterference modulo trusted methods. We have implemented
our approach as an extension to Jif and provide some of our
experience using it to build a secure e-mail client.
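
To illustrate what reasoning about a policy "in the absence of a particular program" can look like, the following added example (not code from the paper or from Jif) treats a policy as a graph and enumerates every flow it implies. The policy notation, the principal and declassifier names, and the assumption that trust chains compose transitively are all constructed for this sketch.

```python
from collections import deque

# Constructed sample policy (hypothetical names, not from the paper):
# owner -> [(declassifier, recipient)], read as "owner trusts this
# declassifier to release the owner's data to recipient".
POLICY = {
    "alice": [("aes_encrypt", "network"), ("check_password", "login_ui")],
    "login_ui": [("render", "public")],
    "network": [],
    "public": [],
}


def implied_flows(policy, source):
    """Return {recipient: declassifier chain} for every principal that data
    owned by `source` can reach under `policy`, using the shortest chain.

    Assumption of this sketch: once data has been released to a recipient,
    that recipient's own trusted declassifiers may release it further.
    """
    chains = {source: []}
    queue = deque([source])
    while queue:
        owner = queue.popleft()
        for declassifier, recipient in policy.get(owner, []):
            if recipient not in chains:  # first visit is the shortest chain
                chains[recipient] = chains[owner] + [declassifier]
                queue.append(recipient)
    del chains[source]  # a principal trivially reads its own data
    return chains


def unexpected_recipients(policy, source, expected):
    """Flows the policy implies that the policy author did not anticipate."""
    flows = implied_flows(policy, source)
    return {r: chain for r, chain in flows.items() if r not in expected}


if __name__ == "__main__":
    for recipient, chain in implied_flows(POLICY, "alice").items():
        print(f"alice -> {recipient} via {' -> '.join(chain)}")
    print(unexpected_recipients(POLICY, "alice", {"network", "login_ui"}))
```

The audit needs only the policy: it shows that alice's data can reach `public` through `check_password` followed by `render`, a flow no single declassification statement would reveal.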